Tek-Tips is the largest IT community on the Internet today!


Update Session ID after login, prevent Session Fixation

Status: Not open for further replies.

XgrinderX (Programmer, US, Mar 27, 2001)
I've inherited a project that has gone through a security audit. One thing they found is that the session ID is not updating after login and this opens the application up to a Session Fixation attack.

My problem appears to be one of timing. The default.aspx.vb handles the login click and checks the credentials against the database. If login succeeds, the app loads a class that it calls GlobalTransfer, which essentially stores a ton of properties that can be accessed throughout the app. It stores this object in the session. My problem is that the couple of methods I have found to update/kill/reset a session don't take effect until after default.aspx.vb has finished running:

- Session.Abandon doesn't raise the Session_OnEnd event until the page has finished processing
- Using SessionIDManager.SaveSessionID adds the new ID to the HTTP response, but it appears this doesn't show up in the process until the next page call

I've added the SaveSessionID call to the Page_Load of my default.aspx.vb, figuring it didn't matter if a new session ID was generated every time default is run, just as long as the last session ID generated sticks for the rest of the session. However, somehow the session ID is still not changing until after the login handler has completed. Here is an example from my Page_Load call:

Code:
' Page_Load of default.aspx.vb (requires Imports System.Web.SessionState)
Dim Manager As New SessionIDManager()
Dim NewID As String = Manager.CreateSessionID(Context)   ' mint a fresh ID
Dim OldID As String = Context.Session.SessionID           ' ID this request arrived with
Dim redirected As Boolean = False
Dim IsAdded As Boolean = False
' Writes NewID into the HTTP response (cookie or URL); the current request keeps OldID
Manager.SaveSessionID(Context, NewID, redirected, IsAdded)
Dim strTest As String = Session.SessionID                 ' still reports OldID here

So when I first come to the default page, strTest is "hjkqn41huzavksq3idtaiujs".
I enter credentials to log in and click the button; the Page_Load fires, which should update the SessionID, but the strTest value is still "hjkqn41huzavksq3idtaiujs".
So then it goes through all the login handling, saves the GlobalTransfer, redirects to frmOne.aspx, and NOW the session ID is "dtchgyu2jfehifvivw31gel1".
So at this point the GlobalTransfer data is all lost.

Anyone have a solution that will update the SessionID instantly?
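The behaviour described in the post is how ASP.NET session state works: SaveSessionID only changes the cookie the browser gets back, while the in-memory Session object for the running request stays bound to the old ID, so anything stored in Session before the redirect is keyed to the ID that is about to be thrown away. The following added example (not code from the post or from the poster's project) works around that by handing the post-login object across the ID change server-side: the login handler parks the object in the application Cache under a one-time random token, issues that token in an HttpOnly cookie, abandons the old session, blanks the session cookie so ASP.NET mints a new ID on the next request, and redirects; the landing page then claims the object once and puts it into the new session. The module name SessionFixationGuard, the cookie name PostLoginHandoff, the 60-second hand-off window, and the GlobalTransfer usage shown in the comments are all assumptions for illustration.

```vb
Imports System
Imports System.Security.Cryptography
Imports System.Web
Imports System.Web.Caching

' Hypothetical helper (added example, not part of the original post).
' Moves an object across the session-ID change so it is not lost when the
' pre-login session is abandoned.
Public Module SessionFixationGuard

    Private Const HandOffCookie As String = "PostLoginHandoff"
    ' Default ASP.NET session cookie name; change if <sessionState cookieName> is set.
    Private Const SessionCookie As String = "ASP.NET_SessionId"

    ' 32 random bytes from the OS CSPRNG, base64-encoded; this is the only
    ' value the client ever sees, and it is never derived from the session ID.
    Private Function NewToken() As String
        Dim bytes(31) As Byte
        Using rng As New RNGCryptoServiceProvider()
            rng.GetBytes(bytes)
        End Using
        Return Convert.ToBase64String(bytes)
    End Function

    ' Call from the login click handler AFTER the credentials check, instead of
    ' writing the object into Session directly, e.g.
    '   SessionFixationGuard.HandOffAndRegenerate(Context, gt, "frmOne.aspx")
    Public Sub HandOffAndRegenerate(ByVal ctx As HttpContext, ByVal payload As Object, ByVal redirectUrl As String)
        Dim token As String = NewToken()

        ' Park the payload server-side for a short, absolute window.
        ctx.Cache.Insert("handoff:" & token, payload, Nothing, _
                         DateTime.UtcNow.AddSeconds(60), Cache.NoSlidingExpiration)

        ' Hand the one-time token to the browser; HttpOnly keeps script away from it.
        Dim hc As New HttpCookie(HandOffCookie, token)
        hc.HttpOnly = True
        hc.Secure = ctx.Request.IsSecureConnection
        ctx.Response.Cookies.Add(hc)

        ' Drop the pre-login session and blank its cookie. With no valid ID on
        ' the next request, ASP.NET creates a brand-new session ID, so any ID an
        ' attacker planted before login is now worthless.
        ctx.Session.Abandon()
        ctx.Response.Cookies.Add(New HttpCookie(SessionCookie, ""))

        ' Redirect without ending the response abruptly.
        ctx.Response.Redirect(redirectUrl, False)
        ctx.ApplicationInstance.CompleteRequest()
    End Sub

    ' Call at the top of the post-login page's Page_Load (or in Session_Start):
    '   Dim gt As Object = SessionFixationGuard.ClaimHandOff(Context)
    '   If gt IsNot Nothing Then Session("GlobalTransfer") = gt
    ' Returns Nothing when no hand-off is pending or the token has expired.
    Public Function ClaimHandOff(ByVal ctx As HttpContext) As Object
        Dim hc As HttpCookie = ctx.Request.Cookies(HandOffCookie)
        If hc Is Nothing OrElse String.IsNullOrEmpty(hc.Value) Then Return Nothing

        ' Cache.Remove returns the stored object and deletes it in one step,
        ' so a replayed token cannot claim the payload a second time.
        Dim payload As Object = ctx.Cache.Remove("handoff:" & hc.Value)

        ' Expire the hand-off cookie whether or not the lookup hit.
        Dim gone As New HttpCookie(HandOffCookie, "")
        gone.Expires = DateTime.UtcNow.AddDays(-1)
        ctx.Response.Cookies.Add(gone)

        Return payload
    End Function
End Module
```

Two caveats a practitioner would check before adopting this: the application Cache is local to one worker process, so on a web garden or web farm the payload must instead go into a shared store (the configured out-of-process session store or a database) keyed by the same token; and because the new session is created only on the redirected request, any session writes made in the login handler after HandOffAndRegenerate returns are lost, so everything that must survive login has to travel inside the payload.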
 